The Targets

■ Flash Player Protected Mode For Firefox (Firefox Flash)
  - Version 11.3.300.257

■ Flash Player Protected Mode For Chrome (Chrome Flash)
  - Version bundled with 20.0.1132.47

■ Flash Player Protected Mode for Chrome Pepper (Pepper Flash)
  - Version bundled with 20.0.1132.47
Architecture > Flash Player Protected Mode For Firefox

Flash Player Protected Mode For Firefox (Firefox Flash) [diagram]

■ On by default but can be disabled via the mms.cfg configuration file:

  ProtectedMode = 0

Digging Deep Into The Flash Sandboxes
IBM Security Systems | © 2012 IBM Corporation

Architecture > Flash Player Protected Mode For Chrome

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]

Diagram components:
  - Chrome Browser Process (chrome.exe)
  - Chrome Renderer Process (chrome.exe)
  - Flash Broker Process (rundll32.exe, gcswf32.dll!BrokerMain)
  - Flash Plugin Process (chrome.exe, gcswf32.dll)
  - Chromium IPC (Plugin Management Channel)
Architecture > Flash Player Protected Mode For Chrome Pepper

Flash Player Protected Mode For Chrome Pepper (Pepper Flash) [diagram]
Sandbox Mechanisms

■ Startup Sequence
■ Sandbox Restrictions
■ Interception Manager
■ Inter-Process Communication
■ Services
■ Policy Engine
■ Putting It All Together
Mechanisms > Startup Sequence

1. The broker process is started
2. The broker process sets up the sandbox restrictions
3. The broker process sets up the policies
4. The sandbox process is spawned in a suspended state
5. The broker process sets up interceptions in the sandbox process
6. The sandbox process resumes execution
Mechanisms > Startup Sequence

Firefox Flash [diagram]
SANDBOX MECHANISMS
SANDBOX RESTRICTIONS

Mechanisms > Sandbox Restrictions

■ Based on Practical Windows Sandboxing Recipe
■ Flash plugin process is sandboxed using:
  - Restricted Tokens
  - Integrity Levels
  - Job Objects
  - Alternate Window Station and Alternate Desktop (Pepper Flash Only)
Mechanisms > Sandbox Restrictions > Restricted Tokens

[Table comparing the restricted tokens of Chrome Flash, Firefox Flash and Pepper Flash by enabled SIDs and deny-only SIDs; the SIDs listed are the user's SID, the logon SID, Everyone and Users]
Mechanisms > Sandbox Restrictions > Integrity Level

                   Chrome Flash   Firefox Flash   Pepper Flash
  Integrity Level  Low            Low             Untrusted

■ Low or Untrusted integrity level prevents write access to most securable resources
■ Low or Untrusted integrity level mitigates shatter attacks
Mechanisms > Sandbox Restrictions > Job Objects

                    Chrome Flash    Firefox Flash    Pepper Flash
  Job Restrictions  1 restriction   7 restrictions   11 restrictions

■ Pepper Flash has the most job restrictions
■ Important job restrictions enforced only on Pepper Flash:
  - Read from clipboard
  - Write to clipboard
  - Accessing global atoms
Mechanisms > Sandbox Restrictions > Alternate Window Station and Alternate Desktop

                                                  Chrome Flash   Firefox Flash   Pepper Flash
  Alternate Window Station and Alternate Desktop  No             No              Yes

■ Pepper Flash is the only sandboxed Flash that uses an alternate window station and alternate desktop
■ Firefox Flash compensates via the UILIMIT_HANDLES job restriction and running under Low integrity
SANDBOX MECHANISMS
INTERCEPTION MANAGER

Mechanisms > Interception Manager

■ Transparently forwards API calls from the sandboxed process to the broker or browser process via IPC
■ Done via API interception (API hooking)
■ API calls are evaluated by the policy engine against sandbox policies
Mechanisms > Interception Manager > Example Interception Types

■ INTERCEPTION_SERVICE_CALL - NTDLL API patching

  MOV EAX, <ServiceID>
  MOV EDX, <ThunkCodeAddress>
  JMP EDX

■ INTERCEPTION_SIDESTEP - API entry point patching

  JMP <ThunkCodeAddress>
  <original API code>
  <original API code>
  <...>

■ INTERCEPTION_EAT - Export Address Table patching
Mechanisms > Interception Manager > In Chrome Flash

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]

Mechanisms > Interception Manager > In Pepper Flash

Flash Player Protected Mode For Chrome Pepper (Pepper Flash) [diagram]

Mechanisms > Interception Manager > In Firefox Flash

Flash Player Protected Mode For Firefox (Firefox Flash) [diagram]
Mechanisms > IPC

■ Used for communication between Flash sandbox processes
■ 3 IPC implementations were used:
  - Sandbox IPC
  - Chromium IPC
  - Simple IPC
■ IPC message structure details are in the companion whitepaper
Mechanisms > IPC > Sandbox IPC

■ From the Chromium project
■ Used by all Flash sandbox implementations
■ Originally used for forwarding API calls from a sandboxed process to a higher-privileged process
■ In Firefox Flash: additionally used for invoking the additional services exposed by the Firefox Flash broker
Mechanisms > IPC > Sandbox IPC > In Chrome Flash

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]

Mechanisms > IPC > Sandbox IPC > In Pepper Flash

Flash Player Protected Mode For Chrome Pepper (Pepper Flash) [diagram]

Mechanisms > IPC > Sandbox IPC > In Firefox Flash

Flash Player Protected Mode For Firefox (Firefox Flash) [diagram]
Mechanisms > IPC > Chromium IPC

■ From the Chromium project
■ Used by all Flash sandbox implementations
■ Used for invoking services exposed by higher-privileged and lower-privileged processes
■ IPC messages are dispatched by Listener classes to service handlers
■ IPC messages may be passed (routed) by a Listener to other Listeners
Mechanisms > IPC > Chromium IPC > In Chrome Flash

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]

Mechanisms > IPC > Chromium IPC > In Pepper Flash

Flash Player Protected Mode For Chrome Pepper (Pepper Flash) [diagram]

Mechanisms > IPC > Chromium IPC > In Firefox Flash

Flash Player Protected Mode For Firefox (Firefox Flash) [diagram]
Mechanisms > IPC > Simple IPC

■ Developed by Google and hosted at http://code.google.com/p/simple-ipc-lib/
■ Used only on Chrome Flash
■ Used for invoking services exposed by the Chrome Flash Broker

Mechanisms > IPC > Simple IPC > In Chrome Flash

[diagram]

Mechanisms > Services

■ Services exposed by Flash sandbox processes
■ Invoked via the IPC mechanisms previously discussed
■ A detailed list of services is in the companion whitepaper
Mechanisms > Services > Chrome Sandbox Services

■ Hosted in the Chrome browser process and handles forwarded APIs
■ Invoked via Sandbox IPC
■ Service handlers are methods of Dispatcher classes
■ Example Dispatcher classes:

  Dispatcher Class      Purpose
  FilesystemDispatcher  Handles forwarded filesystem-related NTDLL.DLL API calls.
  RegistryDispatcher    Handles forwarded NtOpenKey() and NtCreateKey() API calls.
Mechanisms > Services > Chrome Sandbox Services > Chrome Flash

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]

Mechanisms > Services > Chrome Sandbox Services > Pepper Flash

Flash Player Protected Mode For Chrome Pepper (Pepper Flash) [diagram]
Mechanisms > Services > Chrome Plugin Services

■ Services exposed by the Chrome browser and Chrome renderer to out-of-process NPAPI and PPAPI plugins
■ Invoked via Chromium IPC
■ Invoked using message classes (names are prefixed with the type of message):

  Send(new PpapiMsg_LoadPlugin(plugin_path_));

■ Listeners dispatch the IPC message in their OnMessageReceived() or OnControlMessageReceived() method
Mechanisms > Services > Chrome Plugin Services > NPAPI Plugins (Chrome Flash)

■ Services exposed by Chrome browser

  Messages                Listener           Purpose
  PluginProcessHostMsg_*  PluginProcessHost  Sending plugin status or notifications to the browser process.

■ Services exposed by Chrome renderer

  Messages        Listener                                   Purpose
  PpapiHostMsg_*  PluginChannelHost, WebPluginDelegateProxy  Support services for NPAPI NPN_* calls. Renderer uses the services exposed by the browser (via the browser-renderer channel) to handle privileged NPAPI service requests.
Mechanisms > Services > Chrome Plugin Services > NPAPI Plugins (Chrome Flash)

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]

Diagram components:
  - Chrome Browser Process (chrome.exe): PluginProcessHost, RenderProcessHostImpl
  - Chrome Renderer Process (chrome.exe) [Sandboxed, Untrusted Integrity]: RenderThreadImpl, PluginChannelHost
  - Flash Broker Process (rundll32.exe, gcswf32.dll!BrokerMain)
  - Chromium IPC (Plugin Management Channel)
  - Flash Plugin Process (chrome.exe, gcswf32.dll) [Sandboxed, Low Integrity]: PluginThread, PluginChannel
Mechanisms > Services > Chrome Plugin Services > PPAPI Plugins (Pepper Flash)

■ Services exposed by Chrome browser

  Messages        Listener                Purpose
  PpapiHostMsg_*  PpapiPluginProcessHost  Sending plugin status or notifications to the browser process.

■ Services exposed by Chrome Renderer

  Messages        Listener                     Purpose
  PpapiHostMsg_*  Subclasses of InterfaceProxy  PPAPI services. PPAPI services are exposed by a process via interface proxies (InterfaceProxy). Renderer uses the services exposed by the browser (via the browser-renderer channel) to handle privileged PPAPI service requests.
Mechanisms > Services > Chrome Plugin Services > PPAPI Plugins (Pepper Flash) > Interface Proxies

■ PPAPI Interface Proxy examples:

  Message                           Interface Proxy            Purpose
  PpapiHostMsg_PPBFileChooser_*     PPB_FileChooser_Proxy      Open/save dialog services
  PpapiHostMsg_PPBFlashClipboard_*  PPB_Flash_Clipboard_Proxy  Clipboard services
  PpapiHostMsg_PPBVideoCapture_*    PPB_VideoCapture_Proxy     Video capture services
Mechanisms > Services > Chrome Plugin Services > PPAPI Plugins (Pepper Flash)

Flash Player Protected Mode For Chrome Pepper (Pepper Flash) [diagram]
Mechanisms > Services > Chrome Flash Broker Services

■ Additional services exposed by the Chrome Flash broker to the sandboxed Flash plugin
■ Invoked via Simple IPC
■ Example services:

  Service                 Purpose
  Dialog Services         Opening an open/save file dialog.
  Filesystem Services     Brokering calls to FindFirstFileW(), FindNextFileW(), CreateFileW(), MoveFileExW() and CreateDirectoryW().
  Miscellaneous Services  Such as launching the Flash settings manager.
Mechanisms > Services > Chrome Flash Broker Services

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]
Mechanisms > Services > Firefox Plugin Container Services

■ NPAPI services exposed by the plugin container to the sandboxed Flash plugin
■ Invoked via Chromium IPC
■ Example services:

  Messages                   Listener          Purpose
  NPAPIHostChannel Messages  NPAPIHostChannel  Proxying NPAPI NPN_* calls from the Flash plugin to the Firefox browser process.
  NPAPIPluginProxy Messages  NPAPIPluginProxy  Proxying NPAPI NPN_* calls from the Flash plugin to the Firefox browser process (for NPAPI APIs requiring a plugin instance).
Mechanisms > Services > Firefox Plugin Container Services

Flash Player Protected Mode For Firefox (Firefox Flash) [diagram]

Mechanisms > Services > Firefox Flash Broker Services

■ Firefox Flash Broker exposes services to:
  - Sandboxed Flash plugin
  - Plugin container
■ Services can be categorized into:
  - Sandbox (forwarded API) Services
  - Flash (additional) Services
  - Permission Services
Mechanisms > Services > Firefox Flash Broker Services > Sandbox and Flash Services

■ Services exposed to the sandboxed Flash plugin process
■ Invoked via Sandbox IPC
■ Example Dispatchers:

  Dispatcher Class               Purpose
  FilesystemDispatcher           Handles forwarded filesystem-related NTDLL.DLL API calls.
  SandboxWininetDispatcher       Mostly handles forwarded WININET.DLL API calls.
  SandboxBrokerServerDispatcher  Miscellaneous broker services (e.g. launching the Flash Player settings manager).
Mechanisms > Services > Firefox Flash Broker Services > Permission Services

■ Permission services exposed by the Flash broker to the plugin container
■ Invoked via Chromium IPC
■ Example services:

  Messages                           Listener                  Purpose
  PermissionsBrokerChannel Messages  PermissionsBrokerChannel  (As of Firefox Flash 11.3) Granting/denying the sandboxed process access to window handles.
Mechanisms > Services > Firefox Flash Broker Services

Flash Player Protected Mode For Firefox (Firefox Flash) [diagram]

Mechanisms > Policy Engine

■ Responsible for evaluating the API calls against the sandbox policies
■ Allows the broker to specify exceptions to the default restrictions in the sandbox
■ These whitelist rules grant the sandbox specific access to certain objects, overriding the sandbox restrictions

Mechanisms > Policy Engine > Adding Policy Rules

■ Policy rules are added programmatically, using the sandbox::PolicyBase::AddRule() function:

  AddRule(subsystem, semantics, pattern)

■ subsystem - indicates the Windows subsystem the rule applies to
■ semantics - indicates the permission that will be applied
■ pattern - expression to match the object name the policy will be applied to
Mechanisms > Policy Engine > Adding Policy Rules

■ Examples of Subsystems

  Subsystem           Description
  SUBSYS_FILES        Creation and opening of files and pipes.
  SUBSYS_NAMED_PIPES  Creation of named pipes.
  SUBSYS_PROCESS      Creation of child processes.
  SUBSYS_REGISTRY     Creation and opening of registry keys.

■ Examples of Semantics

  Semantics             Description
  FILES_ALLOW_ANY       Allows open or create for any kind of access that the file system supports.
  NAMEDPIPES_ALLOW_ANY  Allows creation of a named pipe.
  REG_ALLOW_ANY         Allows read and write access to a registry key.
Mechanisms > Policy Engine > Adding Policy Rules

■ Examples

  AddRule(SUBSYS_FILES, FILES_ALLOW_ANY, "C:\Users\p01\AppData\Roaming\Macromedia\Flash Player\*")

  AddRule(SUBSYS_REGISTRY, REG_ALLOW_ANY, "HKEY_CURRENT_USER\Software\Macromedia\FlashPlayer*")
Mechanisms > Policy Engine > Firefox Flash > Admin-Configurable Policies

■ Firefox Flash allows custom policies through a configuration file.
■ The custom policy file is enabled if the ProtectedModeBrokerWhitelistConfigFile option is set to 1 in mms.cfg.
■ The policy file is named ProtectedModeWhitelistConfig.txt and is placed in:
  - %WINDIR%\System32\Macromed\Flash (32-bit Windows)
  - %WINDIR%\SysWow64\Macromed\Flash (64-bit Windows)
Mechanisms > Policy Engine > Firefox Flash > Admin-Configurable Policies

■ Policy rules take the following format:

  POLICY_RULE_TYPE = pattern string

■ POLICY_RULE_TYPE is a subset of semantics and indicates the permission that will be applied.
■ Example

  FILES_ALLOW_ANY = "c:\logs\*"
SANDBOX MECHANISMS
PUTTING IT ALL TOGETHER

Mechanisms > Putting It All Together > Chrome Flash

Flash Player Protected Mode For Chrome (Chrome Flash) [diagram]

Mechanisms > Putting It All Together > Pepper Flash

Flash Player Protected Mode For Chrome Pepper (Pepper Flash) [diagram]

Mechanisms > Putting It All Together > Firefox Flash

Flash Player Protected Mode For Firefox (Firefox Flash) [diagram]
Sandbox Limitations

"What can malicious code do once it is running within a Flash sandbox?"
Sandbox Limitations > File System Read Access

■ Firefox Flash allows read access to all files that are accessible from the user's account.
  - The sandbox process token still has access to some files (such as those accessible to the Everyone and Users groups)
  - There is a hard-coded policy rule that allows read access to all files:

    SubSystem=SUBSYS_FILES
    Semantics=FILES_ALLOW_READONLY
    Pattern="*"
Sandbox Limitations > File System Read Access

■ Chrome Flash allows read access to all files that are accessible from the user's account.
  - The sandbox process token still has access to some files (such as those accessible to the Everyone and Users groups)
■ Pepper Flash does not allow any read access to files
■ Implication: Sensitive files (documents, source code, etc.) can be stolen
Sandbox Limitations > Registry Read Access

■ Firefox Flash allows read access to registry keys that are accessible from the user's account.
  - The sandbox process token still has access to some keys (such as those accessible to the Everyone and Users groups)
  - There is a hard-coded policy rule that allows read access to major registry hives:

    SubSystem=SUBSYS_REGISTRY
    Semantics=REG_ALLOW_READONLY
    Pattern="HKEY_CLASSES_ROOT*"
Sandbox Limitations > Registry Read Access

■ Chrome Flash allows read access to the major registry hives mentioned above.
  - The sandbox process token still has read access to these registry hives
■ Pepper Flash does not allow any read access to registry keys
■ Implication: Disclosure of system configuration information and potentially sensitive application data from the registry
Sandbox Limitations > Network Access

■ Neither Firefox Flash nor Chrome Flash restricts network access
■ Pepper Flash does not allow socket creation
■ Implications:
  - Allows transfer of stolen information to a remote attacker
  - Allows attacks on internal systems not accessible from the outside
Sandbox Limitations > Policy Allowed Write Access to Files/Folders

■ Firefox Flash contains default policy rules that grant the sandbox process write access to certain folders and files
■ Some belong to third-party applications
■ Implication: Control the behavior of Flash or other applications
Sandbox Limitations > Clipboard Read/Write Access

■ Neither Firefox Flash nor Chrome Flash has clipboard access restrictions set in its job object
■ Firefox Flash's SandboxClipboardDispatcher also provides clipboard services
■ Pepper Flash does not allow clipboard access
■ Implication: Disclosure of possibly sensitive information
Sandbox Limitations > Write Access To FAT/FAT32 Partitions

■ FAT/FAT32 partitions have no security descriptors
■ Limitation of all Flash sandboxes
■ Implication: Propagation capabilities
  - Dropping of malicious files into FAT/FAT32 partitioned USB flash drives
Sandbox Limitations > Summary

■ Limitations and weaknesses still exist
■ Still possible to carry out information theft
■ Pepper Flash is the most restrictive

SANDBOX ESCAPE
Sandbox Escape > Local Elevation of Privilege (EoP) Vulnerabilities

■ Particularly those that result in kernel-mode code execution
■ Multiple interfaces to kernel-mode code are accessible to the sandboxed process
■ See "There's a party at Ring0, and you're invited" by Tavis Ormandy and Julien Tinnes.
Sandbox Escape > Named Object Squatting Attacks

■ Crafting a malicious named object that is trusted by a higher-privileged process
■ Tom Keetch demonstrated named object squatting against Protected Mode IE in "Practical Sandboxing on the Windows Platform"
Sandbox Escape > IPC Message Parser Vulnerabilities

■ First code running in a privileged context to touch untrusted data
■ Code that parses the IPC message and code that deserializes parameters are interesting
■ All IPC implementations are open source
■ Example: SkBitmap deserialization bug discovered by Mark Dowd in Chrome
Sandbox Escape > Policy Vulnerabilities

■ Policies that allow write access are potential vectors for sandbox escape
■ Scenario: Registry key
  - Does it contain configuration entries used by higher-privileged applications?
■ Scenario: Folders
  - Can you overwrite executable files?
  - Does it contain configuration data used by higher-privileged applications?
Sandbox Escape > Policy Engine Vulnerabilities

■ Decides what potentially security-sensitive action to allow/deny
■ Policy engine vulnerabilities can be used to evade policy checks
■ Example: REG_DENY policy in Adobe Reader X can be bypassed due to lack of canonicalization (CVE-2011-1353)
  - Bug we discovered and demoed at BH USA 2011
  - Also independently discovered by Zhenhua Liu of Fortinet's Fortiguard Labs
Sandbox Escape > Policy Engine Vulnerabilities > CVE-2011-1353

■ Registry entry to disable/enable the Reader X sandbox:

  HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged
  bProtectedMode = 0 (disabled), non-zero (enabled)

■ There is an allow-any policy for "HKCU\Software\Adobe\Acrobat Reader\10.0\*" but there is a deny-access policy for the Privileged key:

  Semantics: REG_DENY
  Pattern: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged*

■ However, the deny-access policy can be bypassed:

  HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\\Privileged
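The policy-rule format described earlier (AddRule semantics and the POLICY_RULE_TYPE = "pattern" file lines) and the CVE-2011-1353 canonicalization gap above, as one added C++ example that is not from the deck or from the Chromium/Adobe sandbox code: a small rule parser and wildcard matcher, evaluated once without canonicalizing the object name (the behaviour that was bypassed) and once with a simplified canonicalization that collapses the doubled backslash before the deny rule is checked. The Reader X rule pair is written in expanded HKEY_CURRENT_USER form and only a subset of semantics is modelled; both are assumptions.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>
#include <vector>

// Semantics names as used in the deck; only this subset is modelled (assumption).
enum Semantics { FILES_ALLOW_ANY, REG_ALLOW_ANY, REG_DENY };
struct Rule { Semantics semantics; std::string pattern; };
enum class Decision { kNoMatch, kAllow, kDeny };

static char Lower(char c) { return static_cast<char>(std::tolower(static_cast<unsigned char>(c))); }

// Case-insensitive glob match where '*' matches any run of characters.
bool WildcardMatch(const std::string& pattern, const std::string& name) {
  std::size_t p = 0, n = 0, star = std::string::npos, mark = 0;
  while (n < name.size()) {
    if (p < pattern.size() && pattern[p] == '*') { star = p++; mark = n; continue; }
    if (p < pattern.size() && Lower(pattern[p]) == Lower(name[n])) { ++p; ++n; continue; }
    if (star == std::string::npos) return false;
    p = star + 1; n = ++mark;   // backtrack: let the last '*' absorb one more character
  }
  while (p < pattern.size() && pattern[p] == '*') ++p;
  return p == pattern.size();
}

// Canonical form compared by the hardened engine: one '\' between components, '/' treated as
// '\', "." dropped and ".." resolved. Simplified: a real engine must also handle device
// prefixes, 8.3 short names, trailing dots/spaces and NT object-manager paths.
std::string Canonicalize(const std::string& name) {
  std::vector<std::string> parts;
  std::string seg;
  auto flush = [&]() {
    if (seg == "..") { if (!parts.empty()) parts.pop_back(); }
    else if (!seg.empty() && seg != ".") parts.push_back(seg);
    seg.clear();
  };
  for (char c : name) { if (c == '\\' || c == '/') flush(); else seg += c; }
  flush();
  std::string out;
  for (std::size_t i = 0; i < parts.size(); ++i) { if (i) out += '\\'; out += parts[i]; }
  return out;
}

// Parses one line in the admin policy-file format: POLICY_RULE_TYPE = "pattern".
Rule ParseRuleLine(const std::string& line) {
  static const struct { const char* name; Semantics sem; } kNames[] = {
      {"FILES_ALLOW_ANY", FILES_ALLOW_ANY}, {"REG_ALLOW_ANY", REG_ALLOW_ANY}, {"REG_DENY", REG_DENY}};
  auto trim = [](const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t\r\n"), e = s.find_last_not_of(" \t\r\n");
    return b == std::string::npos ? std::string() : s.substr(b, e - b + 1);
  };
  std::size_t eq = line.find('=');
  if (eq == std::string::npos) throw std::invalid_argument("policy line has no '='");
  std::string lhs = trim(line.substr(0, eq)), rhs = trim(line.substr(eq + 1));
  if (rhs.size() >= 2 && rhs.front() == '"' && rhs.back() == '"') rhs = rhs.substr(1, rhs.size() - 2);
  for (const auto& k : kNames)
    if (lhs == k.name) return Rule{k.sem, rhs};
  throw std::invalid_argument("unknown POLICY_RULE_TYPE: " + lhs);
}

// Evaluates an object name against the rules; a matching deny rule wins over any allow.
// With canonicalize=false the engine has the weakness behind CVE-2011-1353: a doubled
// backslash stops the deny pattern matching while the broader allow pattern still matches.
Decision Evaluate(const std::vector<Rule>& rules, const std::string& object_name, bool canonicalize) {
  const std::string name = canonicalize ? Canonicalize(object_name) : object_name;
  Decision result = Decision::kNoMatch;
  for (const Rule& r : rules) {
    const std::string pat = canonicalize ? Canonicalize(r.pattern) : r.pattern;
    if (!WildcardMatch(pat, name)) continue;
    if (r.semantics == REG_DENY) return Decision::kDeny;
    result = Decision::kAllow;
  }
  return result;
}

// The Reader X rule pair from the deck, written in expanded HKEY_CURRENT_USER form (assumption).
std::vector<Rule> ReaderXPolicy() {
  return {{REG_ALLOW_ANY, "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0\\*"},
          {REG_DENY, "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0\\Privileged*"}};
}
```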
Sandbox Escape > Service Vulnerabilities

■ Services exposed by higher-privileged processes are a large attack surface for sandbox escape
■ Example: Untrusted pointer dereference in Chrome Flash broker (CVE-2012-0724, CVE-2012-0725)
  - 2 bugs we discovered last March 2012
  - Also independently discovered by Fermin J. Serna of the Google Security Team
Sandbox Escape > Service Vulnerabilities > CVE-2012-0724, CVE-2012-0725

■ 2 service handlers in the Chrome Flash broker accept a SecurityFunctionTableA pointer (1st parameter)

  Simple IPC Message ID  Parameters                                                                    Purpose
  0x2B                   VOIDPTR sec_func_table                                                        Broker a call to AcquireCredentialsHandleA()
  0x2D                   VOIDPTR sec_func_table, ULONG32 cred_handle_lower, ULONG32 cred_handle_upper  Broker a call to FreeCredentialsHandle()

■ The pointer is fully trusted and dereferenced inside the service handlers in a call instruction:

  Service_0x2B_AcquireCredentialsHandleA:
    mov reg, [sec_func_table]   ; sec_func_table is fully controllable
    call [reg+0Ch]              ; sec_func_table->AcquireCredentialsHandleA()
                                ; reg+0Ch is fully controllable!
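A hardened form of the 0x2B/0x2D service handlers, as an added C++ example that is not the Chrome Flash broker's code: the sec_func_table field is treated as an index into a broker-owned table instead of a pointer to call through, credential handles are tracked per client so only handles the broker issued can be freed, and unknown message IDs are refused. The SecurityFunctionTable struct and the credential stubs are constructed stand-ins for the Windows SSPI function table, an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>

// Constructed stand-in for the two SecurityFunctionTableA entries the brokered services use
// (assumption; the real table is the Windows SSPI dispatch table).
struct SecurityFunctionTable {
  int (*AcquireCredentialsHandle)(uint64_t* out_handle);
  int (*FreeCredentialsHandle)(uint64_t handle);
};

// Simple IPC message IDs and parameter names from the deck's service table.
constexpr uint32_t kMsgAcquireCredentialsHandleA = 0x2B;
constexpr uint32_t kMsgFreeCredentialsHandle = 0x2D;

struct ServiceRequest {
  uint32_t message_id;
  uint32_t sec_func_table;    // the vulnerable handlers took this as a raw VOIDPTR and called through it
  uint32_t cred_handle_lower;
  uint32_t cred_handle_upper;
};

enum class Status { kOk, kUnknownMessage, kBadTable, kBadHandle };

// Broker-side credential bookkeeping (constructed): handles exist only where the broker made them.
static std::map<uint64_t, int> g_credentials;
static uint64_t g_next_credential = 0x100;
static int StubAcquire(uint64_t* out) { *out = g_next_credential++; g_credentials[*out] = 1; return 0; }
static int StubFree(uint64_t h) { return g_credentials.erase(h) == 1 ? 0 : -1; }

// The only function tables the broker will ever call through. A client names one by index and
// can never supply an address, so there is nothing attacker-controlled to dereference.
static const SecurityFunctionTable kTables[] = {{StubAcquire, StubFree}};
constexpr uint32_t kTableCount = sizeof(kTables) / sizeof(kTables[0]);

class HardenedBroker {
 public:
  // Handles one request; for 0x2B the issued credential handle is returned through out_handle.
  Status Dispatch(const ServiceRequest& req, uint64_t* out_handle) {
    if (req.sec_func_table >= kTableCount) return Status::kBadTable;   // bounds-check before use
    const SecurityFunctionTable& table = kTables[req.sec_func_table];
    switch (req.message_id) {
      case kMsgAcquireCredentialsHandleA: {
        uint64_t h = 0;
        if (table.AcquireCredentialsHandle(&h) != 0) return Status::kBadHandle;
        issued_.insert(h);                          // only handles issued here may be freed later
        if (out_handle) *out_handle = h;
        return Status::kOk;
      }
      case kMsgFreeCredentialsHandle: {
        uint64_t h = (static_cast<uint64_t>(req.cred_handle_upper) << 32) | req.cred_handle_lower;
        if (issued_.erase(h) == 0) return Status::kBadHandle;   // not ours, or already freed
        return table.FreeCredentialsHandle(h) == 0 ? Status::kOk : Status::kBadHandle;
      }
      default:
        return Status::kUnknownMessage;             // deny by default
    }
  }
  std::size_t LiveHandles() const { return issued_.size(); }

 private:
  std::set<uint64_t> issued_;
};
```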
Sandbox Escape > Summary

■ Involves exploiting a weakness in a higher-privileged application
■ Permissive policies and improper handling of untrusted data are prime examples of weaknesses that can lead to a sandbox escape
■ The sandbox mechanisms used by higher-privileged processes such as the IPC, policy engine and services are potential vectors for sandbox escape
Sandbox Escape Demo

■ RCE + Sandbox Escape for Chrome Flash 11.1.102.55
■ Remote Exploit
  - CVE-2012-0769 for Flash info leak
    http://zhodiac.hispahack.com/index.php?section=advisories
  - CVE-2012-0779 for Flash EIP control
    https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability
■ Sandbox Escape Exploit
  - CVE-2012-0725 for Chrome Flash Broker info leak and EIP control
Conclusion

■ Attackers now need an additional sandbox escape vulnerability to fully compromise a system
■ Sandboxes have proven to be effective, but limitations still exist
■ Pepper Flash is the most restrictive
Thank You!